neconyd | c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093

General

Target

c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe
Size

35KB
MD5

cdfdfc6b39bf8aa959c22ed497b69a2e
SHA1

9912be4cf7cdfbebd2626867183c7c9416bc1c9d
SHA256

c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093
SHA512

f094e9b95797e92a256ae7025a5fde40b2fa7fa64f17ffb51aa48466e557ed2793f7ac432d5f1c158d431a68006a3332e46317d840cab42d1b3255f3087468fe
SSDEEP

768:N6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:A8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

UPX dump on OEP (original entry point) 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3068-0-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
\Users\Admin\AppData\Roaming\omsecor.exe	UPX
behavioral1/memory/3068-4-0x00000000003A0000-0x00000000003CD000-memory.dmp	UPX
behavioral1/memory/3068-10-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2184-13-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2184-14-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2184-16-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2184-18-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2184-21-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
\Windows\SysWOW64\omsecor.exe	UPX
behavioral1/memory/2184-31-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1736-34-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
\Users\Admin\AppData\Roaming\omsecor.exe	UPX
behavioral1/memory/1736-44-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1600-46-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1600-48-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1600-51-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1600-53-0x0000000000400000-0x000000000042D000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2184 omsecor.exe
1736 omsecor.exe
1600 omsecor.exe

pid	process
2184	omsecor.exe
1736	omsecor.exe
1600	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exeomsecor.exeomsecor.exe

pid	process
3068	c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe
3068	c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe
2184	omsecor.exe
2184	omsecor.exe
1736	omsecor.exe
1736	omsecor.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3068-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/3068-4-0x00000000003A0000-0x00000000003CD000-memory.dmp	upx
behavioral1/memory/3068-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2184-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2184-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2184-16-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2184-18-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2184-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Windows\SysWOW64\omsecor.exe	upx
behavioral1/memory/2184-31-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1736-34-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/1736-44-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1600-46-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1600-48-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1600-51-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1600-53-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3068 wrote to memory of 2184	3068	c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe	omsecor.exe
PID 3068 wrote to memory of 2184	3068	c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe	omsecor.exe
PID 3068 wrote to memory of 2184	3068	c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe	omsecor.exe
PID 3068 wrote to memory of 2184	3068	c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe	omsecor.exe
PID 2184 wrote to memory of 1736	2184	omsecor.exe	omsecor.exe
PID 2184 wrote to memory of 1736	2184	omsecor.exe	omsecor.exe
PID 2184 wrote to memory of 1736	2184	omsecor.exe	omsecor.exe
PID 2184 wrote to memory of 1736	2184	omsecor.exe	omsecor.exe
PID 1736 wrote to memory of 1600	1736	omsecor.exe	omsecor.exe
PID 1736 wrote to memory of 1600	1736	omsecor.exe	omsecor.exe
PID 1736 wrote to memory of 1600	1736	omsecor.exe	omsecor.exe
PID 1736 wrote to memory of 1600	1736	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe
"C:\Users\Admin\AppData\Local\Temp\c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
c969e4d8611084ccb26c12fbde1f6d97

SHA1
e2bcc63fe01b638fffefb191d7582d543803c3d8

SHA256
f8feb1df2a4086581cdc552151cd22b8b328320c348f4d7245791ac3db3df8ff

SHA512
e5668caeadcc31163a12813d249aca09e48d3ffe28644f9280b7329239f31cf0f692a1a0f7592fca02680cad74146462a64a4cd92b960715fe1ec42936b358e8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
5e3a2939ce815978813937c945c9c3e8

SHA1
fb049348ff604350934847a88fec85d98396cccd

SHA256
6d6160a3cd56cef46aeb0b1ea67b223f54e41dba2afe9f826aa28976f6487683

SHA512
6c1f82461142cc2e546ee9d7962e1347187b98fd09bf6c1d88982b7114df6cd56ad0ae690bed7b4d032b347bb9fdf4cc8b9bd9e291dac22d31b4ff514c08cc89

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
3531b22a302b84a86b761a9c8a3e5449

SHA1
f014c4c73a04e5908d763abe2092442d6cff943c

SHA256
eb0a3af5322bc79b6d1eff07e7fc697250980d7ff90b06e8e5897c9c61e5c3a8

SHA512
6c2ae1a9f1bc5dba7f7360a3dca78f46053d2bcc235f3369d96a760bd809dbbe4f139db5a4a1345fe141baaf793c53ff6d3696d0a6a1eb81ca0f945f820e5920

Download Submit
memory/1600-53-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1600-51-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1600-48-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1600-46-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1736-44-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1736-34-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2184-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2184-32-0x00000000003C0000-0x00000000003ED000-memory.dmp

Filesize
180KB

Download
memory/2184-31-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2184-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2184-18-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2184-16-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2184-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2184-49-0x00000000003C0000-0x00000000003ED000-memory.dmp

Filesize
180KB

Download
memory/3068-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3068-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3068-4-0x00000000003A0000-0x00000000003CD000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads